Android Security Model 

Android's new toys 

Isolation Basics 

Device Information Sources 



Android Security Model 

• Linux + Android's Permissions 

• Application isolation - note editor can't read email 

• Distinct UIDs and GIDs assigned on install 




cmd - adb shell

[Screenshot: "adb shell ps" output on a G1. The user column shows distinct Linux users per process (bluetooth, radio, root, shell and one app_N user per application); the process list includes system_server, /system/bin/hciattach, /system/bin/hcid, com.android.phone, android.process.acore, /system/bin/debuggerd, com.google.process.gapps, /system/bin/sh, com.android.im and the ps command itself.]


Android Security Model 



Rights expressed as Permissions & Linux groups! 



cmd - adb shell

C:\>adb shell
$ id
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1011(adb),3001(net_bt_admin),3002(net_bt),3003(inet)

[Screenshot: the same command run from a terminal application on the phone]

$ id
uid=10026(app_26) gid=10026(app_26) groups=3003(inet)
$




iSEC 

PARTNERS 



Android's New User Mode Toys

Activities - screens that do something, like the dialer
Services - background features, like the IM service
Broadcast Receivers - actionable notifications (startup!)
Content Providers - shared relational data
Instrumentations - rare, useful for testing

All secured with Android Permissions like:

"android.permission.READ_CONTACTS" or
"android.permission.BRICK"

See Manifest.permission and the AndroidManifests near you
Android's New Toys: Intents

• Like hash tables, but with a little type / routing data

• Routes via an Action String and a Data URI

• Makes platform component replacement easy

• Either implicitly or explicitly routed / targeted

Intent { action=android.intent.action.MAIN
    categories={android.intent.category.LAUNCHER}
    flags=0x10200000
    comp={au.com.phil/au.com.phil.Intro} }






Android's Attack Surfaces

• Isolated applications are like having a multi-user system

• Single UI / Device -> secure sharing of UI & IO

• Principal maps to code, not user (like browsers)

• Appeals to the user for all security decisions, i.e. the Dialer

• Phishing-style attack risks.

• Linux, not Java, sandbox. Native code is not a barrier.

• Any Java app can exec a shell, load JNI libraries, write
and exec programs - without finding a bug.
Android's Attack Surfaces

• System Services - not a subclass of Service

• Privileged: some native, e.g. "servicemanager"

• Some written in Java, run in the system_server

• ServiceManager.listServices() and getService()

• Exposed to all, secured at the Binder interfaces

44 on Annalee's Cupcake 1.5r3 T-Mobile G1: activity, activity.broadcasts, activity.providers, activity.senders, activity.services, alarm, appwidget, audio, battery, batteryinfo, bluetooth, bluetooth_a2dp, checkin, clipboard, connectivity, content, cpuinfo, devicestoragemonitor, hardware, input_method, iphonesubinfo, isms, location, media.audio_flinger, media.camera, media.player, meminfo, mount, netstat, notification, package, permission, phone, power, search, sensor, simphonebook, statusbar, SurfaceFlinger, telephony.registry, usagestats, wallpaper, wifi, window
System Service Attack Surface

• Some are trivial: IClipboard.aidl - ClipboardService

  Or "clipboard" to getService()

  • CharSequence getClipboardText();

  • setClipboardText(CharSequence text);

  • boolean hasClipboardText();

    public CharSequence getClipboardText() {
        synchronized (this) {
            return mClipboard;
        }
    }
System Service Attack Surface

Some system services are complex, even with source:

SurfaceFlinger - native code (C++),
no AIDL defining it or simple Stubs to call it with.

WindowManagerService.performEnableScreen():

    IBinder surfaceFlinger = ServiceManager.getService("SurfaceFlinger");
    if (surfaceFlinger != null) {
        //Log.i(TAG, "******* TELLING SURFACE FLINGER WE ARE BOOTED!");
        Parcel data = Parcel.obtain();
        // Raw Binder call: the interface token and transaction code stand in for an AIDL stub
        data.writeInterfaceToken("android.ui.ISurfaceComposer");
        surfaceFlinger.transact(IBinder.FIRST_CALL_TRANSACTION,
                                data, null, 0);
        data.recycle();
    }
Android's New Kernel Mode Toys

• Binder - /dev/binder

• AIDL: object oriented, fast IPC, C / C++ / Java

• Atomic IPC - identifies parties, moves data, FDs &
Binders

• Similar to UNIX domain sockets

• Ashmem - anonymous shared memory

• Shared memory that can be reclaimed (purged)
by the system under low memory conditions.

• Java support: android.os.MemoryFile
New Android Toys

18 Android devices by 8 or 9 manufacturers in 2009?

[Slide images: photos of Android handsets]

Images from High End Mobile Graphix blog.
http://highendmobilegrafix.blogspot.com/
Bottom right image from Gizmodo
http://www.gizmodo.com
Understanding New Devices

• What software is installed on my new phone?

• Anything new, cool, or dangerous added by the
manufacturer, or new features for my apps to use?

• How will updates work? Do they have something for
deleting that copy of 1984(*) from my library?

• Is the boot loader friendly?

• Will I have root? What about someone else?

• Which apps are system and which are data?

Even if Amazon or Ahmadinejad intend to update you, it shouldn't be a surprise
Exploratory Tools

Logcat or DDMS or the "READ_LOGS" permission!
Android SystemProperties - property_service
Linux

• /proc

• /sys (global device tree)

• /sys/class/leds/lcd-backlight/brightness

• dmesg, i.e. calls to syslog / klogctl

• syscall interface

• File system: o+r files or groups we can join

• APKs in /system/app
Exploratory Tools

/data/system/packages.xml

• Details of everything installed, who shares
signatures, definitions of UIDs, and the location of
the installed APKs for you to pull off and examine.

/proc/binder - the binder transaction log, state, and
stats

/proc/binder/proc/

• A file for each process using binder, and details of
every binder in use - read binder.c

/dev/socket - like zygote and property_service

/system/etc/permissions/platform.xml






Exploratory Tools

• DUMP permission - adb shell or granted

    public void dump(FileDescriptor fd, String[] args) throws RemoteException

• dumpsys - dumps every system service in
ServiceManager.listServices()

Example from "activity.provider" dump:

    Provider android.server.checkin...
      package=android process=system...uid=1000
      clients=[ProcessRecord{4344fad0 1281:com.android.vending/10025}, ProcessRecord{433fd800 30419:com.google.process.gapps/10011}, ProcessRecord{43176210 100:com.android.phone/1001}, ProcessRecord{43474c68 31952:com.android.calendar/10006}, ProcessRecord{433e2398 30430:android.process.acore/10008}]
Exploratory Tools

Android Manifest aka AndroidManifest.xml

• Not only does the system have one, but every app

• Defines exported attack surface including:

  • Activities, Services, Content Providers,
  Broadcast Receivers, and Instrumentations

System Services / those privileged System APIs

• Primarily what my tools use

• Package Manager - "package" service

• Activity Manager - "activity"

• Some non-services like Settings
Looking at "Secret Codes"

android.provider.Telephony (private @hide code)
caught my eye with this:

    /**
     * Broadcast Action: A "secret code" has been entered in the dialer. Secret codes are
     * of the form *#*#<code>#*#*. The intent will have the data URI:</p>
     *
     * <p><code>android_secret_code://&lt;code&gt;</code></p>
     */
    public static final String SECRET_CODE_ACTION =
            "android.provider.Telephony.SECRET_CODE";

Grep also noticed SECRET_CODE_ACTION in:
/packages/apps/Contacts - SpecialCharSequenceMgr.java
/packages/apps/VoiceDialer - VoiceDialerReceiver.java
Looking at "Secret Codes"

SpecialCharSequenceMgr.java (from Contacts)

    /**
     * Handles secret codes to launch arbitrary activities in the form of *#*#<code>#*#*.
     * If a secret code is encountered an Intent is started with the android_secret_code://<code>
     * URL
     *
     * @param context the context to use
     * @param input the text to check for a secret code in
     * @return true if a secret code was encountered
     */
    static boolean handleSecretCode(Context context, String input) {
        // Secret codes are in the form *#*#<code>#*#*
        int len = input.length();
        if (len > 8 && input.startsWith("*#*#") && input.endsWith("#*#*")) {
            // Note: an unrestricted broadcast; any receiver with a matching filter gets it
            Intent intent = new Intent(Intents.SECRET_CODE_ACTION,
                    Uri.parse("android_secret_code://" + input.substring(4, len - 4)));
            context.sendBroadcast(intent);
            return true;
        }
        return false;
    }
Looking at "Secret Codes"

VoiceDialer's use of Secret Code - start at the Manifest:

    <receiver android:name="VoiceDialerReceiver">
        ...
        <!-- Voice Dialer Logging Enabled, *#*#VDL1#*#* -->
        <intent-filter>
            <action android:name="android.provider.Telephony.SECRET_CODE" />
            <data android:scheme="android_secret_code" android:host="8351" />
        </intent-filter>

        <!-- Voice Dialer Logging Disabled, *#*#VDL0#*#* -->
        <intent-filter>
            <action android:name="android.provider.Telephony.SECRET_CODE" />
            <data android:scheme="android_secret_code" android:host="8350" />
        </intent-filter>
    </receiver>
Exploring Droids

Tracking down a Secret Code with Manifest Explorer
Exploring what's available with Package Play
Exploring with Intent Sniffing
Quick look at Intent Fuzzing

Manifests and Manifest Explorer

• Applications and system code have an AndroidManifest

• Defines permissions, and their use, for the system

• Defines attack surface

• Critical starting point for understanding security

• Stored in compressed XML (mobile -> small) in the .apk
Manifests and Manifest Explorer

[Screenshots of Manifest Explorer on the phone: the package list (com.android.providers.telephony, com.android.soundrecorder, com.isecpartners.android.broadca..., com.android.providers.drm, com.android.mms, ...); the com.android.phone manifest, with sharedUserId="android.uid.phone", sharedUserLabel="Dialer" and uses-permission entries for android.permission.BROADCAST_STICKY, CALL_PHONE, CALL_PRIVILEGED, WRITE_SETTINGS and WRITE_SECURE_SETTINGS; and the com.android.browser manifest with its "Save in File" dialog writing /sdcard/com.android.browser.txt.]
Manifests and Manifest Explorer

Start of Browser's Manifest (com.android.browser)

    <!--
    /* //device/apps/Browser/AndroidManifest.xml
    **
    ** Copyright 2006, The Android Open Source Project
    **
    ** Licensed under the Apache License, Version 2.0 (the "License");
    ** you may not use this file except in compliance with the License.
    ** You may obtain a copy of the License at
    **
    **     http://www.apache.org/licenses/LICENSE-2.0
    **
    ** Unless required by applicable law or agreed to in writing, software
    ** distributed under the License is distributed on an "AS IS" BASIS,
    ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    ** See the License for the specific language governing permissions and
    ** limitations under the License.
    */
    -->

    <manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.android.browser">

        <uses-permission
            android:name="com.google.android.googleapps.permission.GOOGLE_AUTH" />

        <uses-permission
            android:name="android.permission.ACCESS_COARSE_LOCATION"/>
Manifests and Manifest Explorer

Manifest Explorer on Browser com.android.browser

[Screenshot: Manifest Explorer, View com.android.browser. The manifest shows package="com.android.browser" and uses-permission entries for com.google.android.googleapps.permission.GOOGLE_AUTH, android.permission.ACCESS_COARSE_LOCATION, android.permission.ACCESS_DOWNLOAD_MANAGER, android.permission.ACCESS_FINE_LOCATION, ...]
Manifests and Manifest Explorer

"Contacts and myFaves storage" com.tmobile.myfaves

[Two Manifest Explorer screenshots, View com.tmobile.myfaves, showing the following parts of its manifest (Manifest Explorer omits the android: prefix):]

    <manifest
        sharedUserId="android.uid.shared"
        package="com.tmobile.myfaves">
        <uses-permission name="android.permission.CALL_PHONE"></uses-permission>
        <uses-permission name="android.permission.READ_CONTACTS"></uses-permission>
        <uses-permission name="android.permission.WRITE_CONTACTS"></uses-permission>
        <uses-permission name="android.permission.SEND_SMS"></uses-permission>
        <uses-permission name="android.permission.RECEIVE_SMS"></uses-permission>
        <uses-permission name="android.permission.READ_SMS">
        ...

        </receiver>
        <receiver name="com.tmobile.myfaves.receivers.SecretCodeReceiver">
            <intent-filter>
                <action name="android.provider.Telephony.SECRET_CODE"></action>
                <data scheme="android_secret_code" host="87695"></data>
            </intent-filter>
        </receiver>

        <provider name="MyFavesProvider"
            readPermission="android.permission.READ_CONTACTS"
            writePermission="android.permission.WRITE_CONTACTS"
        [screenshot cut off here]
What does this "secret code" do?

Got some weird WAPPUSH SMS / PDU

[Screenshot: Wappush Ripper, "Ripped Wappush" view]

Sender: 453
Date: Jul 19, 2009 3:51:07 PM
Service Center Address: +12063130004
PDU: 0791 21 601 30300F4440381 54F3000490709 1 51 1 5708A090605041 5CC000060D4
User Data PDU: 60 D4
Transaction ID: (empty)
PDU Type: (empty)
WBXML version: (empty)
Selective logcat for ~ six seconds around entering the code:

    03.792: INFO/MyFaves(26963): starting service with intent: Intent { comp={com.tmobile.myfaves/com.tmobile.myfaves.MyFavesService} (has extras) }
    03.802: INFO/MyFaves(26963): handleMessage(4)
    04.372: INFO/MyFaves(26963): sending msg: 1 635827901 501 3420001 000000000000000000000000000000000000 000000000000000000000000 to 453
    06.732: INFO/MyFaves(26963): SMSStatusReceiver.onReceive(extras: Bundle[{id=100}]; resultCode: -1); action: sent
    06.762: INFO/MyFaves(26963): starting service with intent: Intent { comp={com.tmobile.myfaves/com.tmobile.myfaves.MyFavesService} (has extras) }
    06.762: INFO/MyFaves(26963): handleMessage(0)
    06.832: INFO/ActivityManager(54): Stopping service: com.tmobile.myfaves/.MyFavesService
    09.122: INFO/MyFaves(26963): queueInboundSMSMesssage: 05
    09.152: INFO/MyFaves(26963): starting service with intent: Intent { comp={com.tmobile.myfaves/com.tmobile.myfaves.MyFavesService} (has extras) }
    09.162: INFO/MyFaves(26963): handleMessage(6)
Package Play

Shows you installed packages:

• Easy way to start exported Activities

• Shows defined and used permissions

• Shows activities, services, receivers, providers
and instrumentation, their export and permission
status

• Switches to Manifest Explorer or the Settings'
applications view of the application.
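As an added example (not Package Play's own code), the same audit done with the public PackageManager API: it logs each installed package's UID and sharedUserId, the permissions it uses and defines, and every exported component together with the permission that guards it. The class and log tag are hypothetical names.

```java
import android.content.Context;
import android.content.pm.ActivityInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.PermissionInfo;
import android.content.pm.ProviderInfo;
import android.content.pm.ServiceInfo;
import android.util.Log;

import java.util.List;

/** Added example (not Package Play's code): list each package's rights and exported attack surface. */
public final class ExportAudit {
    private static final String TAG = "ExportAudit";   // hypothetical log tag

    private ExportAudit() {}

    /** Walks every installed package and logs what it may do and what it exposes to other apps. */
    public static void audit(Context context) {
        PackageManager pm = context.getPackageManager();
        int flags = PackageManager.GET_ACTIVITIES | PackageManager.GET_SERVICES
                | PackageManager.GET_RECEIVERS | PackageManager.GET_PROVIDERS
                | PackageManager.GET_PERMISSIONS;
        List<PackageInfo> packages = pm.getInstalledPackages(flags);
        for (PackageInfo pkg : packages) {
            // The UID is the Linux sandbox; a sharedUserId means several packages share it.
            Log.i(TAG, "Package " + pkg.packageName + " uid=" + pkg.applicationInfo.uid
                    + (pkg.sharedUserId != null ? " sharedUserId=" + pkg.sharedUserId : ""));
            if (pkg.requestedPermissions != null) {
                for (String p : pkg.requestedPermissions) Log.i(TAG, "  uses " + p);
            }
            if (pkg.permissions != null) {
                for (PermissionInfo p : pkg.permissions) {
                    Log.i(TAG, "  defines " + p.name + " protectionLevel=" + p.protectionLevel);
                }
            }
            if (pkg.activities != null) {
                for (ActivityInfo a : pkg.activities) report("activity", a.name, a.exported, a.permission);
            }
            if (pkg.receivers != null) {   // receivers are described by ActivityInfo too
                for (ActivityInfo r : pkg.receivers) report("receiver", r.name, r.exported, r.permission);
            }
            if (pkg.services != null) {
                for (ServiceInfo s : pkg.services) report("service", s.name, s.exported, s.permission);
            }
            if (pkg.providers != null) {
                for (ProviderInfo p : pkg.providers) {
                    // Providers are guarded separately for reading and writing.
                    report("provider read", p.name, p.exported, p.readPermission);
                    report("provider write", p.name, p.exported, p.writePermission);
                }
            }
        }
    }

    /**
     * The package manager has already resolved android:exported (a component with an
     * intent-filter is exported unless it says otherwise), so this is the reachable surface.
     * An exported component with no permission can be driven by any app on the device.
     */
    private static void report(String kind, String name, boolean exported, String permission) {
        if (!exported) {
            Log.d(TAG, "  private " + kind + " " + name);
            return;
        }
        String guard = (permission == null) ? "open to every app" : "requires " + permission;
        Log.w(TAG, "  exported " + kind + " " + name + " (" + guard + ")");
    }
}
```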
Package Play

[Screenshot: Package Play's package list: android, au.com.phil, com.ScanLife, com.ajaxie.lastfm, com.amazon.mp3, com.android.alarmclock, ...]

[Screenshot: Package Play on com.htc.fieldtest, with Start Activity / See Manifest / System View buttons]

Activities Exported By Package:
  com.htc.fieldtest.FieldTestActivity

Package Name: com.htc.fieldtest
Package uses no permissions.
Package defines no new permissions.
Exported Activities:
  com.htc.fieldtest.FieldTestActivity,
  com.htc.fieldtest.SettingsCopyrightActivity
Non-Exported Activities:
  com.htc.fieldtest.FieldTestConfigActivity,
Exported Broadcast Receivers:
  com.htc.fieldtest.FieldTestBroadcastReceiver
Playing with "FieldTest"

Lots of field tests in this FieldTest
[Screenshot: FieldTest's GSM page, the radio's view of the network: ARFCN, LAC, RAC, MNC/MCC (31260), RSSI, neighbour cell info (Ncell Info1-6, in dBm), RX Quality, frequency hopping state, last registered network, TMSI, periodic location update value (in min), band, channel in use and last cell release cause; followed by a 3G Reselection Status page with serving PSC / UARFCN / AGC / ECNO values and ranked neighbour cells (RankPSC, RankUARFCN, RankRSCP, RankECNO and their calibrated values).]
    VERBOSE/FieldTestActivity(100): FT mode enabled
    VERBOSE/FieldTestActivity(100): Response <- RIL: Query FT mode
    VERBOSE/FieldTestActivity(100): Start test request
    VERBOSE/FieldTestActivity(100): Request -> RIL
    VERBOSE/FieldTestActivity(100): Response <- RIL
Package Play - Program Rights

[Screenshot: the same Package Play "View Package" screen for com.htc.fieldtest shown above (no permissions used or defined; exported FieldTestActivity, SettingsCopyrightActivity and FieldTestBroadcastReceiver), beside Manifest Explorer's view of its manifest:]

    <manifest
        sharedUserId="android.uid.phone"
        package="com.htc.fieldtest">
        <application
            label="Field Test">
            <activity
                label="FieldTest"
                name="FieldTestActivity"
                process="com.android.phone"
                launchMode="3">
                <intent-filter>
                    <action name="android.intent.action.MAIN"></action>
                    <category name="android.intent.category.DEFAULT"></category>
                </intent-filter>
            </activity>
            <activity
            [screenshot cut off here]

ps says:

    radio     100   31    152088 17524 ffffffff afe0c824 S com.android.phone
Intent Sniffer
Monitoring of runtime-routed broadcast Intents

• Doesn't see explicit broadcast Intents

• Defaults to (mostly) unprivileged broadcasts

Option to see recent tasks' Intents (GET_TASKS)

• When started, Activities' intents are visible!

Can dynamically update Actions & Categories
Types are wild-carded
Schemes are hard-coded
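An added example, not Intent Sniffer's source: a dynamically registered receiver that shows why the tool wild-cards types but hard-codes schemes, and why explicit broadcasts never show up. The action, category and scheme lists are constructed samples (ANY_DATA_STATE is the hidden action that appears in the Intent Sniffer screenshots later in this deck); class and tag names are mine.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.Bundle;
import android.util.Log;

import java.util.ArrayList;
import java.util.List;

/** Added example (not Intent Sniffer's code): watch implicitly routed broadcasts with dynamic filters. */
public final class BroadcastObserver extends BroadcastReceiver {
    private static final String TAG = "BroadcastObserver";   // hypothetical log tag

    // Constructed sample lists; Intent Sniffer lets the user edit actions and categories at run time.
    public static final String[] SAMPLE_ACTIONS = {
        Intent.ACTION_BATTERY_CHANGED,            // sticky: handed back as soon as we register
        "android.intent.action.ANY_DATA_STATE",   // hidden action seen in the Intent Sniffer screenshots
        Intent.ACTION_PACKAGE_ADDED,              // carries a package: data URI and no MIME type
        Intent.ACTION_SCREEN_ON,                  // no data, no type
    };
    public static final String[] SAMPLE_CATEGORIES = { Intent.CATEGORY_DEFAULT };
    public static final String[] SAMPLE_SCHEMES = { "package", "file", "content", "http" };

    // IntentFilter data matching is strict: a filter with a MIME type never matches an intent
    // that has none, and a filter with schemes never matches an intent without data. The type
    // can be wild-carded but schemes cannot, so the receiver is registered four times.
    public static List<IntentFilter> buildFilters(String[] actions, String[] categories, String[] schemes) {
        IntentFilter noData = base(actions, categories);        // neither data nor type
        IntentFilter typeOnly = base(actions, categories);      // type, no data (or content:/file: data)
        IntentFilter schemeOnly = base(actions, categories);    // data with a listed scheme, no type
        IntentFilter schemeAndType = base(actions, categories); // data with a listed scheme and a type
        try {
            typeOnly.addDataType("*/*");        // wild-card: any MIME type
            schemeAndType.addDataType("*/*");
        } catch (IntentFilter.MalformedMimeTypeException e) {
            throw new IllegalStateException(e); // the wild-card type is always well-formed
        }
        for (String s : schemes) {              // schemes must be listed one by one
            schemeOnly.addDataScheme(s);
            schemeAndType.addDataScheme(s);
        }
        List<IntentFilter> filters = new ArrayList<IntentFilter>();
        filters.add(noData);
        filters.add(typeOnly);
        filters.add(schemeOnly);
        filters.add(schemeAndType);
        return filters;
    }

    private static IntentFilter base(String[] actions, String[] categories) {
        IntentFilter f = new IntentFilter();
        for (String a : actions) f.addAction(a);
        // A receiver filter must contain every category the intent carries, so adding
        // categories only widens what matches.
        for (String c : categories) f.addCategory(c);
        return f;
    }

    /** Registers the observer; sticky broadcasts such as battery state are returned immediately. */
    public static BroadcastObserver register(Context context, String[] actions,
                                             String[] categories, String[] schemes) {
        BroadcastObserver observer = new BroadcastObserver();
        for (IntentFilter f : buildFilters(actions, categories, schemes)) {
            // An intent that matches two of the filters is delivered once per filter.
            Intent sticky = context.registerReceiver(observer, f);
            if (sticky != null) observer.describe("sticky", sticky);
        }
        return observer;
    }

    @Override
    public void onReceive(Context context, Intent intent) {
        // Only what this package may receive arrives here: senders can attach a permission,
        // and explicit (component-targeted) broadcasts never match a dynamic filter.
        describe("broadcast", intent);
    }

    private void describe(String source, Intent intent) {
        StringBuilder sb = new StringBuilder(source).append(": ").append(intent);
        Bundle extras = intent.getExtras();
        if (extras != null) {
            for (String key : extras.keySet()) {
                sb.append("\n  ").append(key).append(" = (").append(extras.get(key)).append(')');
            }
        }
        Log.i(TAG, sb.toString());
    }
}
```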
Intent Sniffer

• GET_TASKS

• Sees other Activities' startup Intents:

    Intent { flags=0x30800000 comp={com.google.android.systemupdater/com.google.android.systemupdater.SystemUpdateInstallDialog} (has extras) } extras {firstPrompt = (132810) updateFile = (/cache/signed-kila-ota-150275.53dde318.zip)} - from recent tasks

File can't be viewed before it is executed :(

Isn't in the open code

Perhaps for "Google Experience" devices only?
Intent Sniffer

[Screenshot: Intent Sniffer's menu: Update Actions, Update Categories, Show Stats]

Intents' source is listed at the bottom of each.

Intents with components obviously come from recent tasks.

[Screenshot: Intent Sniffer with "Recent Activities" and "Broadcasts" tabs, "Show details" and "Refresh" buttons, and these entries:]

    ... technology = (Li-ion) voltage = (4083) - from known action and data

    Intent { action=android.intent.action.ANY_DATA_STATE (has extras) } extras {state = (CONNECTED) iface = (rmnet0) apn = (epc.tmobile.com)} - from known action and data

    Intent { action=android.intent.action.MAIN categories={android.intent.category.LAUNCHER} flags=0x10200000 comp={com.isecpartners.android.intentsniffer/com.isecpartners.android.intentsniffer.IntentSniffer} } - from recent tasks

Intent Fuzzing 



Fuzzing can be fun, Java minimizes impacts 
Often finds crashing bugs or performance issues 
[Screenshot: Intent Fuzzer listing components of com.android.phone]

    Activities - Components (59):
      com.android.phone.Process...   (cut off)
    Services - Components (32):
      com.android.phone.NetworkQ...   (cut off)

    Null Fuzz Single | Null Fuzz All

    Can't launch ComponentInfo{com.android.phone/com.android.phone.NetworkQueryService}
    Not allowed to start service Intent { comp={com.android.phone/com.android.phone.NetworkQueryService} }
    without permission private to package

    Can't launch ComponentInfo{com.biggu.shopsavvy/com.biggu.shopsavvy.androidservice.locationpinger.LocationPinger}
    Not allowed to start service Intent {
    [screenshot cut off here]
Concluding Thoughts

Hidden packages, root & proprietary bits
Common problems
Possible aardvark raffle
Questions

Android's Private Parts

• Platforms need to change internals to evolve

• App developers should avoid the shakiest bits

• Security researchers don't

• We see this marker on classes, or individual methods:

@hide

    /**
     * @hide Broadcast intent when the volume for a particular stream type changes.
     * Includes the stream and the new volume
     *
     * @see #EXTRA_VOLUME_STREAM_TYPE
     * @see #EXTRA_VOLUME_STREAM_VALUE
     */
    @SdkConstant(SdkConstantType.BROADCAST_INTENT_ACTION)
    public static final String VOLUME_CHANGED_ACTION = "android.media.VOLUME_CHANGED_ACTION";

This is to help developers avoid mistakes
NOT a security boundary, trivially bypassed
Root lockdown

Carriers or Manufacturers

• Locking down the phone means securing for, not
against, users. Don't pick a fight with customers.

• People with root won't upgrade & fix systems

• Schemes for maintaining root are dangerous

Market Enabler - little program to enable the Market

• Needs root to set system properties

• Only asks for the "INTERNET" permission

• For this to work the Linux sandbox was defeated

    // Getting Root ;)
    process = Runtime.getRuntime().exec("su");
Proprietary bits

• Radio firmware is private & highly privileged

• Many WiFi cards are similar - GPL purity combat

• Computer BIOS too

• Think about the phone switches on the backend

• Do you really know what's in the heart of your CPU?

• Do you even know what vPro is?

Keep perspective & a disassembler
Search the net for platform documentation
Common Problems

• Implicit vs. explicit Intents

• Too many or too few permissions

• Data source & destination

• Who sent this broadcast?

• Who might be able to see this?

• Trusting external storage (FAT-32: no security for you)

• Users with unpassworded setuid root shells, su, etc.

• Implementing non-standardized features

• OTA updates, application distribution & update
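An added example, not from the talk: the Intent problems listed above, each written beside its fix with the public Context and Binder APIs. The package, service, action and permission names are hypothetical; the permission would be declared in the app's own manifest.

```java
import android.content.BroadcastReceiver;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.Process;

/** Added example (not from the talk): the Intent mistakes listed above, each beside its fix. */
public final class IntentHygiene {
    // Hypothetical names; the service and permission would be declared in the app's own manifest.
    static final String OWN_PACKAGE = "com.example.app";
    static final String SYNC_SERVICE = "com.example.app.SyncService";
    static final String ACTION_SYNC = "com.example.app.action.SYNC";
    static final String ACTION_RESULT = "com.example.app.action.SYNC_RESULT";
    static final String PERM_SYNC = "com.example.app.permission.SYNC";

    private IntentHygiene() {}

    /** Implicit: whichever installed app has a matching <service> filter gets this request. */
    static void startSyncImplicit(Context ctx) {
        ctx.startService(new Intent(ACTION_SYNC));
    }

    /**
     * Explicit: routed by component name, so only our own service runs. With the service left
     * non-exported, the platform refuses other callers with the "Not allowed to start service
     * ... without permission private to package" error seen in the fuzzing screenshot.
     */
    static void startSyncExplicit(Context ctx) {
        Intent i = new Intent(ACTION_SYNC);
        i.setComponent(new ComponentName(OWN_PACKAGE, SYNC_SERVICE));
        ctx.startService(i);
    }

    /** "Who might be able to see this": every receiver with a matching filter, in any package. */
    static void publishResultOpen(Context ctx, String result) {
        ctx.sendBroadcast(new Intent(ACTION_RESULT).putExtra("result", result));
    }

    /** Same broadcast, delivered only to apps that hold PERM_SYNC. */
    static void publishResultGuarded(Context ctx, String result) {
        ctx.sendBroadcast(new Intent(ACTION_RESULT).putExtra("result", result), PERM_SYNC);
    }

    /** "Who sent this broadcast": accept it only from senders that hold PERM_SYNC. */
    static void listenGuarded(Context ctx, BroadcastReceiver receiver) {
        ctx.registerReceiver(receiver, new IntentFilter(ACTION_RESULT), PERM_SYNC, null);
    }

    /**
     * Inside a Binder call the caller's UID is known; check it before doing anything privileged.
     * checkCallingPermission() denies when there is no incoming IPC, so the same-process case
     * is handled first.
     */
    static boolean callerMaySync(Context ctx) {
        if (Binder.getCallingUid() == Process.myUid()) return true;   // our own sandbox
        return ctx.checkCallingPermission(PERM_SYNC) == PackageManager.PERMISSION_GRANTED;
    }
}
```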
Special Thanks

• iSEC Partners, especially Chris Palmer

• Thanks for all your help & feedback getting this ready

• Google's Android Team

• They are awesome

• Special thanks to: Rich Cannings, Dianne Hackborn,
Brian Swetland, David Bort

• My clients who can't be named, but who help keep
my mental hamster in shape.

• Sorry I can't list you in a compressed o+r manifest
Questions?

In case you need some sample questions:

What is Intent reflection?

How would I secure a root shell for users of my
distribution of Android?

How do I spy on users without being publicly humiliated
like SS8 was in the United Arab Emirates?

How do I stop someone naughty from sending my app an
Intent?

What's the deal with code signing that doesn't require a
trusted root?

What's the parallel between the browser security model
and the Android security model you mentioned?

Thank you for coming!

Want a copy of the presentation/tool?
Email:

blackhat@isecpartners.com

...and get all the iSEC Partners BH USA 2009 presentations and tools.
It is also available on our web site: https://www.isecpartners.com .

Contact me about Android stuff at

AndroidSecurityPaper(a)isecpartners.com

or come introduce yourself